Prevention of rendezvous generation algorithm (RGA) and domain generation algorithm (DGA) malware over existing internet services

A technology relating to domain generation algorithms and malware, applied in the field of computer security, which addresses the problems that the malware operator needs redundancy in its contact points, that malware will likely need several attempts to find a current command and control (C&C) channel, and that network-based solutions will often fail for encrypted communication.

Active Publication Date: 2019-11-19
CYBEREASON

AI Technical Summary

Benefits of technology

[0023] The present invention offers a solution on the defense side, which is to detect when an attempt was made to access a contact point which does not exist. In addition, the operator of the malware must have redundancy in the usage of DGA. Some possible command and control (C&C) channels will not be used, or will be used only for very short time periods. Thus, when malware rapidly attempts to access many contact points such as multiple C&C channels, the malware is likely to need several attempts to find a current C&C channel.

Problems solved by technology

In addition, the operator of the malware must have redundancy in the usage of DGA.
Thus, when malware rapidly attempts to access many contact points such as multiple C&C channels, the malware is likely to need several attempts to find a current C&C channel.
Network-based solutions will often fail for encrypted communication, for example websites which use the HTTPS protocol, and therefore only an endpoint-based solution will be able to detect these indications of non-existence.
However, in many cases the algorithm will not have such specific knowledge.
Such a mistake will be what happens when a DGA attempts to access something which does not exist.

Examples

example 1

[0046] FIG. 2 illustrates the Twitter web service application for a random nonexistent username. Choosing a random Twitter name login sasasfassasafa 201 goes to the URL https://twitter.com/sasasfassasafa 202. Twitter provides a webpage 204. FIG. 3 illustrates the Twitter web service application for another random nonexistent username. Choosing another random Twitter name login jershtrejkbgt 301 goes to the URL https://twitter.com/jershtrejkbgt 302 and finds a similar webpage 304. Note that the two pages look very similar and have similar wording (the earth mover's distance is just the difference of the two random Twitter name login strings). However, if one goes to a valid Twitter page (https://twitter.com/cybereason) (FIG. 4) there is something very different.

[0047] Note that the difference between Cybereason's Twitter page 400 and the random pages (FIGS. 2 and 3) (using e.g., the earth mover's distance) is very large. Thus, one can detect the instance in which a valid result is return...

example 2

[0049] FIG. 5 illustrates the Gmail web service application 500 after choosing a random nonexistent email 501 to log into Gmail email. FIG. 6 illustrates the Gmail web service application 600 after choosing a valid email 601 to log into Gmail email.

[0050] As can be seen in FIG. 6, a valid account 600 has different properties than an invalid account 500 (text saying “Sign in with a different account” 604 rather than text saying “Create account” 504, the appearance of the email which was attempted to be used 601 under the valid username 606, a sign in box 602 as opposed to a next box 502, a lack of the red text 506 saying that the email is incorrect, the appearance of a graphic with the first letter of the user's name 608 rather than a default person-outline 508, text saying “Need help?” 610 rather than “Find my account” 510, the appearance of a password box 612 rather than a red alert surrounding the invalid email 512, etc.).

[0051] The difference between invalid attempts (note that the only ...

Abstract

A method, computer program product, system and apparatus for the prevention of RGA and DGA malware over an existing internet service is disclosed. The invention exploits the fact that when malware rapidly attempts to access many contact points, the malware is likely to need several attempts to find a current server. Software is installed on the individual endpoints in a network of internet services. The software monitors the websites or services and collects information about access attempts. The invention detects a series of failed attempts by the malware to access the service/website. These attempts can be accrued by being temporally linked (e.g., many attempts in a short time, many attempts consecutively), conceptually linked (e.g., similar addresses, similar attempts across multiple machines or time scales), higher than normal prevalence, or other methods. The invention provides an indication of a malware attempt if enough failed attempts have accrued.
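As an added example that is not part of the patent or of Cybereason's product, the following Python sketches the two pieces described in example 1 and in the abstract: deciding that a response is a "nonexistent" page by its similarity to a known not-found page, and accruing temporally linked failures on the endpoint into an indication. The sample page texts, the valid-profile text, the tolerance and the threshold are constructed assumptions; a plain sequence-matching ratio stands in for the earth mover's distance.

```python
# Added example, not code from the patent or Cybereason: treat a response as a
# "nonexistent contact point" when it is near-identical to a known not-found
# page (a simplification of the earth mover's distance the description uses),
# then accrue such failures on the endpoint within a time window.
from collections import deque
from difflib import SequenceMatcher

# Constructed sample responses; not the real text of any web service.
NOT_FOUND_A = "This account doesn't exist. Try searching for another. sasasfassasafa"
NOT_FOUND_B = "This account doesn't exist. Try searching for another. jershtrejkbgt"
VALID_PAGE = "cybereason  Profile  Tweets  Following  Followers  Joined <date>"

def page_distance(page_a, name_a, page_b, name_b):
    """Dissimilarity in [0, 1] after masking the attempted account name: two
    not-found pages differing only in the name score 0, a real profile high."""
    a = page_a.replace(name_a, "<NAME>")
    b = page_b.replace(name_b, "<NAME>")
    return 1.0 - SequenceMatcher(None, a, b).ratio()

def is_nonexistent(page, name, ref_page, ref_name, tol=0.1):
    """True when the response is within `tol` of the not-found reference."""
    return page_distance(page, name, ref_page, ref_name) <= tol

def accrue_failures(events, window=60.0, threshold=5):
    """events: iterable of (timestamp_seconds, nonexistent_bool) attempts.
    Returns timestamps at which `threshold` nonexistent attempts fell inside
    the trailing `window`; the counter resets after each indication."""
    recent, alerts = deque(), []
    for ts, failed in events:
        if not failed:
            continue
        recent.append(ts)
        while ts - recent[0] > window:   # drop attempts outside the window
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append(ts)
            recent.clear()
    return alerts

def demo_burst():
    """Constructed burst: five bad probes and one valid hit within 25 s,
    then a single isolated bad probe at t=100 that must not alert."""
    probes = [(0, NOT_FOUND_A, "sasasfassasafa"), (5, NOT_FOUND_B, "jershtrejkbgt"),
              (9, VALID_PAGE, "cybereason"), (12, NOT_FOUND_B, "jershtrejkbgt"),
              (20, NOT_FOUND_A, "sasasfassasafa"), (25, NOT_FOUND_B, "jershtrejkbgt"),
              (100, NOT_FOUND_A, "sasasfassasafa")]
    events = [(ts, is_nonexistent(p, n, NOT_FOUND_A, "sasasfassasafa"))
              for ts, p, n in probes]
    return accrue_failures(events)  # -> [25]
```

The conceptual linkage the abstract also mentions (similar addresses across machines) would feed the same accrual by grouping events on a normalised address rather than on a single endpoint's clock.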

Description

[0001] This application claims the benefit of U.S. Provisional Application No. 62/273,768, filed Dec. 31, 2015, the entire disclosure of which is herein incorporated by reference.

TECHNICAL FIELD OF THE INVENTION

[0002] The present invention relates to computer security, and more specifically to prevention of malware attacks.

BACKGROUND OF THE INVENTION

[0003] There are many types of malware which communicate back to their controller. These communications can consist of receiving commands and updates, exfiltrating data and passing other information in either direction. However, the use of single (or a small number of) pre-defined or hardcoded web-based points of communication (i.e. “rendezvous locations”) such as a single domain, email address, Twitter account, etc. to which the malware can connect, leaves the malware vulnerable to being disrupted by the loss of control of that rendezvous location. Such loss can occur most frequently when law enforcement or cyber-security organizations tak...

Application Information

Patent Type & Authority: Patents (United States)
IPC (8): H04L29/06, G06F16/958, H04L29/08, G06F21/55, H04L29/12
CPC: H04L63/145, H04L63/1425, G06F16/958, G06F21/554, G06F21/556, H04L67/02, H04L63/1416, H04L2463/144, H04L61/1511, H04L61/4511
Inventors: STERNFELD, URI; STRIEM-AMIT, YONATAN
Owner: CYBEREASON